Document security and credential management in main docs

Updated README.md:
- Added prominent security warning about config.yaml containing secrets
- Clarified that config.yaml is gitignored and never committed
- Added step-by-step Quick Start with security notes
- Added "Security Note" section listing protected files
- Added Documentation section linking to all guides including SECURITY.md
- Added note about API keys stored in ~/.llm/keys.json

Updated QUICKSTART.md:
- Added security warning box when copying config.yaml
- Explained that file contains secrets and is gitignored
- Added reference to SECURITY.md for complete guidance

Updated MASTODON_SETUP.md:
- Added prominent link to SECURITY.md at top of Security Considerations
- Clarified that credential files are gitignored
- Added note about *_clientcred.secret and *_usercred.secret files

All documentation now clearly explains:
- Where secrets go (config.yaml, ~/.llm/keys.json)
- What's protected by .gitignore
- Where to find complete security information (SECURITY.md)
- How to safely configure the bot

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Nathan Schneider
2026-02-06 17:26:43 -07:00
parent ff5ac21f68
commit 98eef7bf5c
3 changed files with 66 additions and 9 deletions


@@ -313,9 +313,12 @@ python -c "from src.govbot.db.models import init_db; init_db('govbot.db')"
## Security Considerations
**📖 See [SECURITY.md](SECURITY.md) for the complete security guide.**
### Credentials
- **Never commit** `config/config.yaml` to version control
- **Never commit** `config/config.yaml` to version control (it's in `.gitignore`)
- **Never commit** `*_clientcred.secret` or `*_usercred.secret` files (also gitignored)
- Store credentials securely
- Use environment variables for production:
```bash
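Review bot: the two "Never commit `config/config.yaml`" bullets in this hunk are near-duplicates; as rendered, the original line "- **Never commit** `config/config.yaml` to version control" still appears directly above the new "- **Never commit** `config/config.yaml` to version control (it's in `.gitignore`)", so unless the first one is dropped in the same change, the Credentials list will carry the same item twice. Keep only the version with the `.gitignore` parenthetical. Two smaller points in the same list: "Store credentials securely" gives the reader nothing actionable next to the very specific gitignore bullets, so either say what "securely" means here (for example, restrictive file permissions on `config/config.yaml` and the `*_clientcred.secret` / `*_usercred.secret` files, which are plain files on disk) or fold it into the environment-variable bullet; and since the new text leans on `.gitignore` as the protection, it is worth one sentence noting that ignoring a file only stops future `git add` and does nothing for a copy that was committed earlier, which is exactly the case SECURITY.md should cover for anyone who set the bot up before these files were ignored.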